The 3GPP standardization organization has defined an architecture called GBA (“Generic Bootstrapping Architecture”), the aim of which is to authenticate a mobile terminal so as to create a security association between the mobile terminal and an application. This architecture comprises a bootstrapping server, termed BSF (“Bootstrapping Server Function”), which serves as a trusted third party allowing the establishment of a security association between the terminal and the application.
The authentication process used in this architecture is therefore effected in two stages, with a first process of authentication of the mobile terminal with the bootstrapping server BSF. This authentication phase makes it possible to establish between the terminal and the BSF a security association based on a shared key generated in the course of the authentication. This shared key thereafter makes it possible to establish a security association between the terminal and an application having access to the BSF, from which the application retrieves the keying material necessary for authenticating the terminal.
In the case where the mobile terminal seeks to connect via a non-3GPP access network, an additional step of attaching the terminal to the access network is performed beforehand, typically by using the EAP (Extensible Authentication Protocol) protocol, to authenticate the terminal so as to allow it to access the non-3GPP access network.
FIG. 1 illustrates this authentication process when a mobile terminal seeks to connect to an application via a non-3GPP access network.
In a first stage, the mobile terminal UE attaches to the non-3GPP access network by contacting an authentication server AAA/EAP through an access point AP of this network and undertaking a first authentication using the EAP protocol (step 105).
Once the terminal UE has attached to the non-3GPP access network, it can thereafter undertake a second authentication procedure with the GBA infrastructure. Thus, the terminal UE, furnished with a SIM card, first authenticates itself with the bootstrapping server BSF (step 110), over a connection based on the HTTP protocol (step 111).
The result of this authentication is a security key Ks, established between the terminal and the bootstrapping server BSF (each side derives it from the authentication material; the key itself is not transmitted) and valid for a determined duration. The bootstrapping server BSF also provides the terminal with a session identifier B-TID associated with the security key Ks, as well as the duration of validity of the key (step 113).
Subsequently, when the terminal desires to access an application APP, it authenticates itself mutually with this application APP (step 120): it opens a connection with the application APP (step 121), indicates to it that it desires to be authenticated according to the GBA technique, and provides it with the session identifier B-TID.
The application APP then contacts the server BSF and provides it with the session identifier B-TID; the server BSF responds by providing it with a new key K′ (termed Ks_NAF in the 3GPP specifications) derived from the security key Ks and from the identity of the application (step 123). The terminal performs the same derivation on its side (step 125).
Thus the terminal and the application hold one and the same key K′, which they can use to authenticate themselves mutually and to secure the IP connection between them (step 127).
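The two-stage exchange of steps 110 to 127, as an added worked example that is not part of the original description: a Python simulation of the bootstrapping server BSF, the terminal UE and an application acting as NAF. The AKA run over the Ub interface is not modelled (the terminal and the BSF are assumed to already hold a constructed CK||IK, and RAND stands for the AKA challenge); Ks_NAF is derived with the HMAC-SHA-256 KDF of 3GPP TS 33.220 Annex B, whereas the page only states that K′ depends on Ks and the application name; the B-TID is built as base64(RAND)@BSF domain; and the mutual authentication of step 127 is replaced by a simple HMAC challenge-response rather than a real Ua protocol. All identities, domain names, the Ua protocol identifier bytes and the key lifetime are constructed values.

```python
"""Constructed simulation of GBA bootstrapping (Ub), NAF key fetch (Zn) and
mutual authentication (Ua). Not the 3GPP reference implementation."""
import base64
import hashlib
import hmac
import os


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(Key, FC||P0||L0||P1||L1||...),
    each Li being the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: bytes, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id): the K' of steps 123/125."""
    return kdf(ks, 0x01, b"gba-me", rand, impi, naf_id)


class BSF:
    """Bootstrapping server: stores Ks per B-TID and answers NAF key requests."""
    def __init__(self, domain: str, lifetime_s: int = 3600):
        self.domain, self.lifetime = domain, lifetime_s
        self.sessions = {}  # B-TID -> (Ks, RAND, IMPI, expiry)

    def bootstrap(self, impi: bytes, ck: bytes, ik: bytes, now: int):
        # Steps 110-113. The AKA exchange is not modelled: both sides are
        # assumed to hold CK||IK already, RAND is the challenge the UE saw.
        rand = os.urandom(16)
        ks = ck + ik
        btid = base64.b64encode(rand).decode() + "@" + self.domain
        expiry = now + self.lifetime
        self.sessions[btid] = (ks, rand, impi, expiry)
        return btid, rand, expiry  # Ks itself is never sent

    def naf_key_request(self, btid: str, naf_id: bytes, now: int):
        # Step 123: the NAF presents the B-TID and receives Ks_NAF + lifetime.
        sess = self.sessions.get(btid)
        if sess is None or now >= sess[3]:
            return None  # unknown or expired bootstrapping session
        ks, rand, impi, expiry = sess
        return derive_ks_naf(ks, rand, impi, naf_id), expiry


class UE:
    """Terminal: keeps Ks, RAND and B-TID, derives Ks_NAF itself (step 125)."""
    def __init__(self, impi: bytes, ck: bytes, ik: bytes):
        self.impi, self.ck, self.ik, self.ks = impi, ck, ik, ck + ik
        self.btid = self.rand = self.expiry = None

    def bootstrap(self, bsf: BSF, now: int):
        self.btid, self.rand, self.expiry = bsf.bootstrap(self.impi, self.ck, self.ik, now)

    def ks_naf(self, naf_id: bytes) -> bytes:
        return derive_ks_naf(self.ks, self.rand, self.impi, naf_id)

    def respond(self, naf_id: bytes, nonce_naf: bytes):
        nonce_ue = os.urandom(16)
        mac = hmac.new(self.ks_naf(naf_id), b"ue" + nonce_naf + nonce_ue, hashlib.sha256).digest()
        return nonce_ue, mac

    def verify(self, naf_id: bytes, nonce_naf: bytes, nonce_ue: bytes, naf_mac: bytes) -> bool:
        expected = hmac.new(self.ks_naf(naf_id), b"naf" + nonce_ue + nonce_naf, hashlib.sha256).digest()
        return hmac.compare_digest(expected, naf_mac)


class NAF:
    """Application APP. NAF_Id = FQDN || Ua security protocol identifier."""
    def __init__(self, fqdn: str, ua_proto_id: bytes, bsf: BSF):
        self.naf_id, self.bsf = fqdn.encode() + ua_proto_id, bsf

    def authenticate(self, ue: UE, now: int) -> bool:
        # Step 121: UE connects and hands over its B-TID; step 123: Zn fetch.
        resp = self.bsf.naf_key_request(ue.btid, self.naf_id, now)
        if resp is None:
            return False
        ks_naf, _ = resp
        # Step 127: simplified mutual HMAC challenge-response with Ks_NAF.
        nonce_naf = os.urandom(16)
        nonce_ue, ue_mac = ue.respond(self.naf_id, nonce_naf)
        expected = hmac.new(ks_naf, b"ue" + nonce_naf + nonce_ue, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ue_mac):
            return False
        naf_mac = hmac.new(ks_naf, b"naf" + nonce_ue + nonce_naf, hashlib.sha256).digest()
        return ue.verify(self.naf_id, nonce_naf, nonce_ue, naf_mac)


def run_demo(now: int = 1_700_000_000) -> dict:
    bsf = BSF("bsf.example.org", lifetime_s=3600)
    ck, ik = bytes(range(16)), bytes(range(16, 32))  # constructed CK, IK
    ue = UE(b"user@ims.example.org", ck, ik)
    ue.bootstrap(bsf, now)
    proto = b"\x01\x00\x00\x00\x02"  # constructed Ua protocol identifier
    app = NAF("app.example.org", proto, bsf)
    other = NAF("other.example.org", proto, bsf)
    return {
        "btid": ue.btid,
        "auth_ok": app.authenticate(ue, now),
        "keys_differ": ue.ks_naf(app.naf_id) != ue.ks_naf(other.naf_id),
        "expired_rejected": app.authenticate(ue, now + 3601) is False,
    }
```

Two checks in `run_demo` are the ones a practitioner cares about: because NAF_Id enters the derivation, an application with a different identity obtains a different Ks_NAF from the same bootstrapping session (key separation), and once the validity period announced in step 113 has elapsed the BSF refuses the Zn request of step 123, so the terminal must bootstrap again.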
This authentication procedure therefore implies that the terminal must first open an HTTP connection (through its HTTP client or browser) to the BSF so as to be able thereafter to open an IP connection with the application, even though this latter connection is not necessarily based on the HTTP protocol.
Moreover, the mobile terminal has previously authenticated itself with a server AAA of the access network, upon its attachment to the network, before authenticating itself with the bootstrapping server BSF. There is therefore a dual authentication of the mobile terminal: a first time upon its attachment to the network and a second time to create a security association with the bootstrapping server BSF. This gives rise to delays during access of the terminal to the application APP, increased complexity and an increase in the message exchanges over the network.